b' FEDERAL ELECTION COMMISSION \n\n\n  OFFICE OF INSPECTOR GENERAL \n\n\n\n\n\n            FINAL REPORT \n\n\nAudit of the Federal Election Commission\xe2\x80\x99s \n\n  Fiscal Year 2009 Financial Statements \n\n\n\n\n\n             November 2009 \n\n\n        ASSIGNMENT No. OIG-09-01 \n\n\x0c                  FEDERAL ELECTION COMMISSION\n                  WASHINGTON, D.C. 20463\n                  Office of Inspector General\n\n\n\n\nMEMORANDUM\n\nTO:    \t       The Commission\n\nFROM:          \tInspector General\n\nSUBJECT: \t    Audit of the Federal Election Commission\xe2\x80\x99s Fiscal Year 2009 Financial\n              Statements\n\nDATE: \t        November 13, 2009\n\n\nPursuant to the Chief Financial Officers Act of 1990, commonly referred to as the \xe2\x80\x9cCFO\nAct,\xe2\x80\x9d as amended, this letter transmits the Independent Auditor\xe2\x80\x99s Report issued by Leon\nSnead & Company (LSC), P.C. for the fiscal year ending September 30, 2009. The audit\nwas performed under a contract with, and monitored by, the Office of Inspector General\n(OIG), in accordance with auditing standards generally accepted in the United States of\nAmerica; the standards applicable to financial audits contained in Government Auditing\nStandards, issued by the Comptroller General of the United States; and applicable\nprovisions of Office of Management and Budget (OMB) Bulletin No. 07-04, Audit\nRequirements for Federal Financial Statements, as amended.\n\nOpinion on the Financial Statements\n\nLSC audited the balance sheet of the Federal Election Commission (FEC) as of\nSeptember 30, 2009, and the related statements of net cost, changes in net position,\nbudgetary resources, and custodial activity (the financial statements) for the year then\nended. The objective of the audit was to express an opinion on the fair presentation of\nthose financial statements. 
In connection with the audit, LSC also considered the FEC\xe2\x80\x99s\ninternal control over financial reporting and tested the FEC\xe2\x80\x99s compliance with certain\nprovisions of applicable laws and regulations that could have a direct and material effect\non its financial statements. The financial statements of the FEC as of September 30,\n2008, were audited by other auditors whose report dated November 7, 2008, expressed an\nunqualified opinion on those statements.\n\nIn LSC\xe2\x80\x99s opinion, the financial statements present fairly, in all material respects, the\nfinancial position, net cost, changes in net position, budgetary resources, and custodial\nactivity of the FEC as of, and for the year ending September 30, 2009, in conformity with\naccounting principles generally accepted in the United States of America.\n\x0cReport on Internal Control\n\nIn planning and performing the audit of the financial statements of the FEC, LSC\nconsidered the FEC\xe2\x80\x99s internal control over financial reporting (internal control) as a basis\nfor designing auditing procedures for the purpose of expressing their opinion on the\nfinancial statements, but not for the purpose of expressing an opinion on the effectiveness\nof the FEC\xe2\x80\x99s internal control. Accordingly, LSC did not express an opinion on the\neffectiveness of the FEC\xe2\x80\x99s internal control.\n\nBecause of inherent limitations in internal controls, including the possibility of\nmanagement override of controls; misstatements, losses, or noncompliance may\nnevertheless occur and not be detected. 
According to the American Institute of Certified\nPublic Accountants:\n   \xe2\x80\xa2\t A control deficiency exists when the design or operation of a control does not\n       allow management or employees, in the normal course of performing their\n       assigned functions, to prevent or detect misstatements on a timely basis.\n   \xe2\x80\xa2\t A significant deficiency is a control deficiency, or combination of control\n       deficiencies, that adversely affects the entity\xe2\x80\x99s ability to initiate, authorize, record,\n       process, or report financial data reliably in accordance with generally accepted\n       accounting principles such that there is a more than remote likelihood that a\n       misstatement of the entity\xe2\x80\x99s financial statements that is more than inconsequential\n       will not be prevented or detected by the entity\xe2\x80\x99s internal control.\n   \xe2\x80\xa2\t A material weakness is a significant deficiency, or combination of significant\n       deficiencies, that results in more than a remote likelihood that a material\n       misstatement of the financial statements will not be prevented or detected by the\n       entity\xe2\x80\x99s internal control.\n\nLSC\xe2\x80\x99s consideration of internal control was for the limited purpose described in the first\nparagraph in this section and would not necessarily identify all deficiencies in internal\ncontrol that might be significant deficiencies or material weaknesses. LSC did not\nidentify any deficiencies in internal control that LSC would consider to be material\nweaknesses, as defined above. 
However, LSC identified, as listed below, two\ndeficiencies in internal controls that LSC considers to be significant deficiencies.\n    \xe2\x80\xa2\t Internal Controls over Financial Reporting\n    \xe2\x80\xa2\t Information Technology (IT) Security Control Weaknesses\n\n\nReport on Compliance with Laws and Regulations\n\nFEC management is responsible for complying with laws and regulations applicable to\nthe agency. To obtain reasonable assurance about whether FEC\xe2\x80\x99s financial statements\nare free of material misstatements, LSC performed tests of compliance with certain\nprovisions of laws and regulations, noncompliance which could have a direct and\nmaterial effect on the determination of financial statement amounts, and certain other\nlaws and regulations specified in OMB Bulletin No. 07-04, as amended. LSC did not test\ncompliance with all laws and regulations applicable to FEC.\n\n\n                                               2\n\n\x0cThe results of LSC\xe2\x80\x99s tests of compliance with laws and regulations described in the audit\nreport disclosed an instance of reportable noncompliance that is required to be reported\nunder U.S. generally accepted government auditing standards or OMB guidance.\n\nLSC identified a reportable noncompliance in the area of:\n  \xe2\x80\xa2 Compliance with the Debt Collection Improvement Act\n\n\nAudit Follow-up\n\nThe independent auditor\xe2\x80\x99s report contains recommendations to address deficiencies\nfound by the auditors. Management was provided a draft copy of the audit report for\ncomment and generally concurred with the findings and recommendations. In\naccordance with OMB Circular No. A-50, Audit Follow-up, revised, the FEC\xe2\x80\x99s corrective\naction plan is to set forth the specific action planned to implement the recommendations\nand the schedule for implementation. 
The Commission has designated the Chief\nFinancial Officer to be the audit follow-up official for the financial statement audit.\n\nOIG Evaluation of Leon Snead & Company\xe2\x80\x99s Audit Performance\n\nWe reviewed LSC\xe2\x80\x99s report and related documentation and made necessary inquiries of its\nrepresentatives. Our review was not intended to enable the OIG to express, and we do\nnot express an opinion on the FEC\xe2\x80\x99s financial statements; nor do we provide conclusions\nabout the effectiveness of internal control or conclusions on FEC\xe2\x80\x99s compliance with laws\nand regulations. However, the OIG review disclosed no instances where LSC did not\ncomply, in all material respects, with Government Auditing Standards.\n\nWe appreciate the courtesies and cooperation extended to LSC and the OIG staff during\nthe audit. If you should have any questions concerning this report, please contact my\noffice on (202) 694-1015.\n\n\n\n\n                                                    Lynne A. McFarland\n                                                    Inspector General\n\nAttachment\n\nCc: \t   Alec Palmer, Acting Staff Director/Chief Information Officer\n        Mary G. Sprague, Chief Financial Officer\n        Thomasenia P. 
Duncan, General Counsel\n\n\n\n\n                                            3\n\n\x0c FEDERAL ELECTION COMMISSION\n\n      Audit of Financial Statements\n\n        As of and for the Year Ended\n\n            September 30, 2009\n\n\n\n\n                   Submitted By\n\n\n            Leon Snead & Company, P.C.\n\nCertified Public Accountants & Management Consultants\n\x0c                                    TABLE OF CONTENTS\n\n\n\n\n                                                                                                                            Page\n\n\n\nIndependent Auditor\xe2\x80\x99s Report..............................................................................................1\n\n\n       Summary.....................................................................................................................1\n\n\n       Opinion on the Financial Statements ..........................................................................2\n\n\n       Internal Control over Financial Reporting..................................................................2\n\n\n             1. FEC Needs to Improve Internal Controls over Financial Reporting ..............3\n\n\n             2. IT Security Control Weaknesses...................................................................10\n\n\n       Compliance with Laws and Regulations...................................................................20\n\n\n             3. 
Compliance with Debt Collection Improvement Act ...................................20\n\n\n      Appendix 1 - Status of Prior Year Recommendations...............................................24\n\n\n      Appendix 2 - Agency Response to Draft Report .......................................................26\n\n\x0c\x0cThe following sections discuss in more detail our opinion on the FEC\xe2\x80\x99s financial\nstatements, our consideration of the FEC\xe2\x80\x99s internal control over financial reporting, our\ntests of the FEC\xe2\x80\x99s compliance with certain provisions of applicable laws and regulations,\nand management\xe2\x80\x99s and our responsibilities.\n\nOPINION ON THE FINANCIAL STATEMENTS\n\nWe have audited the accompanying balance sheet of the FEC as of September 30, 2009,\nand the related statements of net cost, changes in net position, budgetary resources, and\ncustodial activity for the year then ended. The financial statements of FEC as of and for\nthe year ended September 30, 2008, were audited by other auditors whose report dated\nNovember 7, 2008, expressed an unqualified opinion on those statements.\n\nIn our opinion, the financial statements referred to above, present fairly, in all material\nrespects, the financial position, net cost, changes in net position, budgetary resources, and\ncustodial activity of the FEC as of and for the year ended September 30, 2009, in\nconformity with accounting principles generally accepted in the United States of\nAmerica.\n\nThe information in the Management\xe2\x80\x99s Discussion and Analysis section is supplementary\ninformation required by accounting principles generally accepted in the United States of\nAmerica or OMB Circular A-136, Financial Reporting Requirements. 
We have applied\ncertain limited procedures, which consisted principally of inquiries of FEC management\nregarding the methods of measurement and presentation of the supplementary\ninformation and analysis of the information for consistency with the financial statements.\nHowever, we did not audit the information and express no opinion on it. Such\ninformation has not been subjected to the auditing procedures applied in the audit of the\nbasic financial statements and, accordingly, we express no opinion on it.\n\nINTERNAL CONTROL OVER FINANCIAL REPORTING\n\nIn planning and performing our audit of the financial statements of the FEC, as of and for\nthe year ended September 30, 2009, in accordance with auditing standards generally\naccepted in the Unites States of America, we considered the FEC\xe2\x80\x99s internal control over\nfinancial reporting (internal control) as a basis for designing our auditing procedures for\nthe purpose of expressing our opinion on the financial statements, but not for the purpose\nof expressing an opinion on the effectiveness of the FEC\xe2\x80\x99s internal control. Accordingly,\nwe do not express an opinion on the effectiveness of the FEC\xe2\x80\x99s internal control.\n\nBecause of inherent limitations in internal controls, including the possibility of\nmanagement override of controls; misstatements, losses, or noncompliance may\nnevertheless occur and not be detected. A control deficiency exists when the design or\noperation of a control does not allow management or employees, in the normal course of\nperforming their assigned functions, to prevent or detect misstatements on a timely basis.\n\n\n\n\nLeon Snead & Company, P.C.                      
2\n\x0cA significant deficiency is a control deficiency, or combination of control deficiencies,\nthat adversely affects the entity\xe2\x80\x99s ability to initiate, authorize, record, process, or report\nfinancial data reliably in accordance with generally accepted accounting principles such\nthat there is a more than remote likelihood that a misstatement of the entity\xe2\x80\x99s financial\nstatements that is more than inconsequential will not be prevented or detected by the\nentity\xe2\x80\x99s internal control. A material weakness is a significant deficiency, or combination\nof significant deficiencies, that results in more than a remote likelihood that a material\nmisstatement of the financial statements will not be prevented or detected by the entity\xe2\x80\x99s\ninternal control.\n\nOur consideration of internal control was for the limited purpose described in the first\nparagraph in this section of the report and would not necessarily identify all deficiencies\nin internal control that might be significant deficiencies or material weaknesses. We did\nnot identify any deficiencies in internal control that we consider to be material\nweaknesses, as defined above. However, we identified, as discussed below, two\ndeficiencies in internal controls that we consider to be significant deficiencies.\n\n   1. FEC Needs to Improve Internal Controls over Financial Reporting\n\n       Several of the deficiencies that impacted FEC\xe2\x80\x99s 2008 financial management\n       operations either had not been fully corrected, or were not corrected until late in\n       fiscal year 2009. We noted additional issues that impacted financial management\n       operations during the 2009 fiscal year. These issues resulted in part because FEC\n       did not have a permanent Chief Financial Officer (CFO), until March 2009 and\n       the Office of the Chief Financial Officer (OCFO) was not fully staffed until late in\n       fiscal year 2009. 
Taken together, these deficiencies represented a significant\n       deficiency in internal controls over financial reporting.\n\n       a. FEC Needs to Improve Accruals of Accounts Payable\n\n           OCFO personnel did not accrue certain accounts payable at the end of fiscal\n           year 2008 and incorrectly posted these transactions as 2009 fiscal year\n           activity. FEC did not have appropriate processes in place to accrue accounts\n           payable for year-end financial reporting purposes. As a result, costs on FEC\xe2\x80\x99s\n           2009 Statement of Net Cost (SNC) were overstated by approximately\n           $200,000. Conversely, liabilities on the 2008 Balance Sheet and costs on the\n           2008 SNC were understated by this same amount.\n\n           Statement of Federal Financial Accounting Standards (SFFAS) No. 1 provides\n           \xe2\x80\x9cfor financial reporting purposes, liabilities are recognized when goods and\n           services are received or are recognized based upon an estimate of work\n           completed under a contract or agreement.\xe2\x80\x9d SFFAS No. 5, Accounting for\n           Liabilities of the Federal Government, requires liabilities to be recognized\n           when goods and services are received. Under that standard, agencies are\n           required to estimate the work completed under contracts and accrue expenses\n\n\n\n\nLeon Snead & Company, P.C.                       3\n\x0c           and liabilities for goods and services received, even if the agency has not yet\n           been billed.\n\n           We tested a sample of 2009 expense transactions and determined that FEC\n           had not correctly accrued accounts payable at the end of the 2008 fiscal year.\n           We analyzed the impact of these errors and determined that FEC had\n           misstated both the 2009 and 2008 financial statements by including 2008\n           expenses in 2009 account balances. 
We expanded our tests in this area to\n           determine if similar errors had been made at 2009 year-end, and we did not\n           identify similar problems with the 2009 accrual process.\n\n           We discussed this matter with OCFO personnel who agreed that the\n           transactions should have been accrued and included in the 2008 FEC financial\n           statements. While not material, the transactions also impacted the 2009\n           financial statements. To address this problem, the OCFO developed\n           additional controls and issued new accounting policies that they believe will\n           correct this problem area.\n\n           Recommendations\n\n           1.\t Strengthen controls over the accruals of accounts payable, and ensure that\n               supervisory reviews of accounts payable accruals are performed.\n\n           2.\t Update OCFO policies to incorporate the new strengthened processes for\n               identifying and posting accounts payable accruals.\n\n           Agency Response\n\n           Management partially concurs. Management concurs that it is important to\n           have appropriate controls over the accruals of accounts payable. However,\n           Management notes that the referenced Statement of Federal Financial\n           Accounting Standards (SFFAS) 5, Accounting for Liabilities of the Federal\n           Government, is not the appropriate criteria to cite when discussing\n           deficiencies with accounts payable accruals. Management recognizes that one\n           invoice was improperly excluded from the accounts payable estimate as of\n           September 30, 2008. However, we feel this was an isolated incident and the\n           issue noted is not indicative of a lack of internal controls over financial\n           reporting. 
In our opinion, the error noted is immaterial to the FY 2008 and\n           FY 2009 financial statements taken as a whole.\n\n           Management believes that the appropriate controls were already in place in\n           FY 2008. However, Management concurs that the operational documentation\n           at the end of FY 2008 lacked clarity. Therefore, during the preparation of the\n           FY 2009 second quarter interim statements, the Office of the Chief Financial\n           Officer (OCFO) proactively strengthened its written procedures for this\n\n\n\n\nLeon Snead & Company, P.C.\t                   4\n\x0c           process of identifying and posting estimated accounts payable. Management\n           notes that the improved written procedures were in place for the remainder of\n           the year. The accounts payable accrual process has since been added to the\n           draft version of the Accounting Manual. Management expects to release the\n           updated Accounting Manual within the next 180 days.\n\n           Auditor Comments\n\n           We identified the deficiency in internal controls over financial reporting\n           during our testing of 2009 transactions. Our statistical sample of 2009\n           transactions identified two invoices that were improperly recorded as\n           expenses in the 2009 fiscal year. As a result of this error, the 2009 financial\n           statements were overstated, and the 2008 financial statements were\n           understated. Since these transactions were selected through a statistically\n           valid method, we believe they represent a deficiency in internal controls, and\n           do not represent \xe2\x80\x9cone isolated incident\xe2\x80\x9d as stated by FEC officials.\n\n           We disagree with FEC officials that appropriate controls were in place in\n           2008. 
In addition, the ineffective processes which were followed by FEC\n           were in place through a significant portion of fiscal year 2009. This is\n           evidenced by the changes made in the accrual process by FEC to address our\n           Notice of Findings and Recommendations (NFR) issued after the June 30,\n           2009 interim financial statements were issued.\n\n           In our NFR provided to FEC officials, we cited SFFAS No. 1 as the criteria\n           for our NFR. We have added this reference to our finding in this final audit\n           report. SFFAS No. 5, paragraph 3 provides \xe2\x80\x9cThe concept of a liability in this\n           document is consistent with those in Statements Number 1 and 2. The\n           definition amends the stated definition of a liability in SFFAS Number 1.\xe2\x80\x9d In\n           addition, this standard provides the definition and the general principle for\n           recognition for a liability, and is applicable to FEC.\n\n       b. Internal Controls over Purchase Card Purchases\n\n           During 2008, OCFO personnel did not follow appropriate control processes\n           for the review and approval of purchase card invoices. In order to clear out\n           2008 delinquent billings, OCFO personnel researched the transactions and\n           paid about $7,000 to the purchase card vendor for identified transactions. To\n           expedite the work for the remaining amounts, OCFO personnel made\n           payments to clear the delinquent amounts because they could not identify\n           supporting documentation.\n\n           The Treasury Financial Manual, Vol. I, Part 4, Chapter 4500, Government\n           Purchase Cards, states \xe2\x80\x9c\xe2\x80\xa6the cardholder and approving official will review\n           the cardholder statement of account received at the end of each monthly\n\n\n\n\nLeon Snead & Company, P.C.                    
5\n\x0c           billing cycle and follow contract procedures for identifying discrepancies.\n           The cardholder statement must be submitted to the designated billing office\n           within a time frame that allows them to process and pay the consolidated\n           invoice within the Prompt Payment Act deadline.\xe2\x80\x9d\n\n           Our review of a statistical sample of transactions processed during fiscal year\n           2009 identified expenses totaling approximately $15,000 that were for the\n           payment of several delinquent purchase card transactions that should have\n           been researched and corrected by the prior card holder during fiscal year\n           2008. While OCFO personnel certified all the transactions as valid purchases,\n           our tests showed that approximately $8,000 were not properly matched to\n           purchase orders, or invoices and receiving reports that supported the payments\n           made. The prior cardholder allowed these accounts to remain unprocessed\n           instead of documenting and reconciling each purchase invoice timely.\n\n           We discussed this matter with OCFO personnel who agreed that the original\n           transactions should have been reconciled by the original cardholder, and\n           matched with proper supporting documents.\n\n           Recommendation\n\n           3.\t Re-emphasize, in writing, to purchase cardholders and managers their\n               responsibilities associated with managing the purchase card program\n               payment process and the need for effective internal controls as discussed\n               in FEC Procurement Procedures.\n\n           Agency Response\n\n           Management concurs that the credit card statement should have been\n           reconciled by the original card holder. 
However, Management believes that\n           the corrections needed to address this issue have already been put in place.\n           This was an exception to FEC\xe2\x80\x99s approved processes and is not indicative of\n           the FEC purchase card process. Additionally, as part of the corrective action\n           plan prepared in response to the OIG audit, the OCFO is already in the\n           process of revising and strengthening the purchase card procedures.\n\n           Auditor Comments\n\n           FEC officials concur with the finding and that there was an exception to the\n           approved processes. We continue to believe that FEC should reinforce to\n           purchase card holders the internal control processes that should be followed in\n           this important procurement area. This is reinforced by the problems noted by\n           the OIG in its procurement and contract management audit released in\n           September 2009.\n\n\n\n\nLeon Snead & Company, P.C.\t                   6\n\x0c       c.\t Prior Control Weaknesses Impacted Current Operations\n\n           FEC officials addressed two weaknesses reported in the prior year audit report\n           at the beginning of fiscal year 2009. In other cases, corrective actions were\n           not implemented or completed until late in fiscal year 2009. The problems\n           listed below continued to impact FEC financial management operations\n           during a substantial portion of the 2009 fiscal year.\n\n             \xe2\x80\xa2\t The 2008 audit reported that FEC did not have adequate resources and\n                employees with appropriate financial management accounting and\n                reporting skills. The agency experienced turnover in key financial\n                positions during fiscal year 2008 and adequate resources were not\n                always available to fill the vacancies. 
As a result, the Accounting\n                Officer had to take on some of these responsibilities leaving FEC with\n                insufficient resources to effectively administer quality assurance\n                procedures within their financial reporting environment.\n\n                 Our review determined that the FEC did not fully correct the problem\n                 dealing with the lack of adequate human resources and personnel with\n                 the skill sets needed for an effective financial management operation\n                 until late in the 2009 fiscal year. However, by the end of the 2009 fiscal\n                 year, the FEC had hired a new CFO (March 2009), completed the\n                 restructuring of the OCFO, filled additional positions, and hired a\n                 contractor to assist with accounting operations. In addition, training was\n                 provided to OCFO officials and staff to assist in staff development\n                 throughout the 2009 fiscal year. As of the end of the fiscal year, this\n                 problem would no longer represent a significant deficiency to FEC\xe2\x80\x99s\n                 future financial management operations.\n\n             \xe2\x80\xa2\t FEC did not have a comprehensive policy bulletin or guidance\n                memorandum as required by OMB Circular A-136. FEC had not\n                established a formalized timeline for completing key processes and\n                controls related to the financial statement process.\n\n                 We reviewed the actions that FEC took to address this outstanding issue\n                 during fiscal year 2009. We found that the FEC had issued updated or\n                 new guidance addressing most of the areas where weaknesses were\n                 noted in the prior report. 
However, we found that a significant portion of this guidance was not issued until after March 2009, and another key policy document, the FEC Accounting Manual, was still in draft as of September 30, 2009.

Leon Snead & Company, P.C.                    7

           Recommendations

           4. Update and issue the Accounting Manual within the next six months.

           5. Establish a policy that requires OCFO policies and procedures to be periodically reviewed and updated, such as on a two to three year cycle.

           Agency Response

           Management partially concurs with these recommendations, and noted that a significant amount of work to address these recommendations has already been accomplished. Management does not concur that the accounting manual was in draft as of September 30, 2009.

           Auditor Comments

           Our finding discusses the actions that the FEC took during fiscal year 2009 to address this 2008 deficiency. As discussed in our finding, significant portions of the overall guidance were not updated or completed until May 2009 or later. In addition, the accounting manual provided to us during the audit contained numerous proposed changes, and the OCFO acknowledges in its response to the draft report that the accounting manual will be completely updated in the next 180 days, a further indication that the manual has not been finalized.

       d. Manual Systems Represent Unnecessary Risks to FEC's Financial Management Operations

           FEC uses a service provider for its general ledger and core financial management system operations. The FEC also uses spreadsheets, database applications, and PeopleSoft to perform selected accounting operations. The financial management processes that utilize significant manual operations include:

             • Collections and Accounts Receivable – Fines and Penalties. Accounting for collections, accounts receivable, or fines and penalties involves a significant amount of manual operations. The OCFO must request accounts receivable information from three divisions. After the OCFO obtains the relevant information, the data is input into a database. A journal voucher is prepared quarterly and submitted to the service provider to record the accounts receivable information into the FEC's core accounting system. Collections, however, are processed to the general ledger when the payments are received. Therefore, only at the end of each quarter, after the journal voucher is posted to the general ledger, do custodial cash and accounts receivable reflect an accurate balance.

             • Property and Equipment and Accumulated Depreciation. Our review of PP&E disclosed that FEC is using a combination of automated and manual processes to manage its property. Effective February 1, 2008, capitalized assets are recorded in the general ledger with the use of a flexible posting logic system. FEC also uses an Access database to manage FEC's personal property inventory and to compute depreciation. These entries are then input into the general ledger with a journal voucher.

             • Payroll Reporting. Because the payroll system does not interface with the accounting system, FEC must use a PeopleSoft application that is no longer supported by the vendor. This process also requires FEC to perform manual operations to reconcile the payroll data and prepare journal vouchers to input the payroll data into its accounting system.

           OCFO officials are currently analyzing the financial management operations of FEC and assessing whether the agency should convert these operations to systems operated by its service provider. OCFO is actively working with its two service providers to interface the payroll system and the accounting system.

           Recommendation

           6. Partner with FEC service providers to develop a time-phased plan to convert the manual systems and processes to automated systems that are integrated or interfaced with the core accounting system. Establish a goal of converting these systems by the end of 2010.

           Agency Response

           Management concurs that agencies should consider automating manual processes whenever it is appropriate and cost-effective to do so. OCFO has implemented necessary compensating controls to minimize risks of any manual process.
However, FEC will continue to evaluate the potential benefits of adopting automated systems and implementing interfaces to streamline financial processes.

           Auditor Comments

           We continue to believe that it is important for FEC to convert its manual processes to automated systems that are integrated or interfaced with the core accounting system. This problem was also reported as part of a material weakness in the 2008 financial statement audit report.

   2. IT Security Control Weaknesses

       The Federal Election Commission (FEC) has corrected several of the significant deficiencies that were identified in the 2008 financial statement audit report, and has developed plans of action and milestones (POA&M) to address all remaining deficiencies identified in that report. However, our 2009 audit of information technology (IT) security controls applicable to FEC's general support system (GSS) disclosed other internal control weaknesses that FEC needs to address. During our audit, we noted that FEC had contracted with an independent contractor to perform a risk assessment and analysis of controls in the GSS.

       The FEC's Office of General Counsel provided us with a document that identified that FEC is exempt from all Federal Information Security Management Act (FISMA) requirements, National Institute of Standards and Technology (NIST) publications, Federal Information Processing Standards (FIPS), the E-Government Act, the Paperwork Reduction Act, the Computer Security Act of 1987, and OMB Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, among others. In effect, FEC is exempt from following most federal laws, regulations, standards, and OMB requirements dealing with IT security and related issues.

       In developing standards and guidelines required by law, NIST consults with other federal agencies and offices as well as the private sector to improve information security, to avoid unnecessary and costly duplication of effort, and to ensure that NIST publications are complementary with the standards and guidelines employed for the protection of national security systems. In addition to its comprehensive public review and vetting process, NIST collaborates with the Office of the Director of National Intelligence, the Department of Defense, and the Committee on National Security Systems to establish a common foundation for information security across the federal government.

       NIST notes that a common foundation for information security will provide the federal government and its support contractors more uniform and consistent ways to manage the risk to organizational operations that results from the operation and use of information systems. In addition, a common foundation for information security will also provide a strong basis for reciprocal acceptance of security authorization decisions and facilitate information sharing.

       Since FEC is exempt from most federal legislative and OMB directives related to IT security requirements, FEC selects and implements the security controls the agency determines are appropriate for its information system. These internal agency selections have major implications for the FEC agency-wide IT security program and the operations and assets of the agency.

       Security controls are the management, operational, and technical safeguards employed within an organizational information system to protect the confidentiality, integrity, and availability of the system and its information. In order to determine whether the security controls selected and placed in operation by FEC provided "adequate security" for FEC's GSS, we used the federal government's recommended minimum security controls for non-national security systems as a "best practices" standard. These minimum security controls are contained in NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and Organizations. OMB Circular A-130, Appendix III, defines "adequate security" as security commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information.

       We performed tests of selected minimum security controls in all seventeen security requirements identified for federal information and information systems in FIPS 200, Minimum Security Requirements for Federal Information and Information Systems. Our tests were accomplished through analysis of documents and/or data provided to us by the FEC Office of the Chief Information Officer (OCIO), interviews with OCIO personnel, including the Chief Information Security Officer (CISO), walk-throughs of operations, other tests and analysis, and review of the FEC's independent contractor report on security risks identified in FEC's GSS. [1]

       [1] FEC – Local Area Network (General Support System), Risk Assessment, dated December 24, 2008, completed by an independent contractor under contract with FEC.

       The results of our review of IT security controls, and the corrective actions planned by FEC, if applicable, are discussed below.

       a. Actions Taken to Address Deficiencies Reported in the 2008 Financial Statement Report

           We reviewed the significant deficiencies reported in the above cited report and FEC's plan of action and milestones (POA&M), and performed tests to determine if FEC had corrected the prior reported deficiencies. In summary, we found that FEC had corrected most of the problems reported. We determined that the OCIO had prepared a detailed POA&M for each deficiency, identified personnel responsible for the corrective actions, established target dates for key milestones, and monitored the POA&M. The table below details those areas where corrective actions are still ongoing.

           Issue Reported: Users who had left the organization retained active accounts.
           FEC Actions: FEC advised that it would strengthen controls to ensure that this area is corrected.
           LSC Testing and Conclusions: We found that FEC had made improvements, but had not corrected the issue completely. This issue remains open.

           Issue Reported: FEC has not yet fully developed contingency planning and Continuity of Operations Plans (COOP) processes. In discussions with OCIO personnel, we were advised that FEC had developed a multi-phased plan to address these deficiencies.
           FEC Actions: FEC has received funding to deploy phase I of its POA&M. Phase I enables FEC to complete the test plan and schedule exercises necessary to test the contingency plan. FEC estimates that the exercises and testing should begin in early 2010. The last phase of FEC's contingency planning process entails the development of a COOP plan. This part has not yet been funded and it is estimated that the COOP will not be completed until the end of fiscal year 2010.
           LSC Testing and Conclusions: We found that FEC had made improvements, but had not corrected the issue completely. This issue remains open.

           Issue Reported: The PeopleSoft application is currently running Oracle Release 8i, and this version is no longer supported.
           FEC Actions: FEC uses the system to process payroll accounting data from NFC [2], and generates a journal voucher to make the accounting entries in the GSA accounting system. FEC is working with NFC and GSA to create an interface between NFC and GSA. FEC believes that this will be accomplished by the end of the fiscal year.
           LSC Testing and Conclusions: We discussed this matter with the Director of Accounting. OCFO personnel advised that they are working with the NFC and GSA to integrate the NFC data with the GSA accounting system. While this issue is not yet addressed, the actions taken by FEC will result in corrective action in the near future. However, this issue remains open.

           OCIO officials advised us that although the vendor no longer provides support for this version of Oracle, it does provide limited support, which includes assisting customers with "work-arounds" that may arise. OCIO officials also advised that, in addition to FEC's considerable experience with this product, the FEC has tested and maintains Oracle 8i applications and data backups allowing it to restore any database to a useable state in the event of any problem.

           [2] The National Finance Center, a component of the Department of Agriculture, provides payroll systems services for FEC.

       b. Access Controls Need Strengthening

           Because FEC does not have the necessary software to identify a user's specific access authorities, FEC has been unable to perform periodic reviews of users' access authorities. Best practices identify periodic (at least annual) review of access authorities granted to users as a key control practice. This process provides a key control technique to ensure access authorities remain current, since users frequently change positions and errors can occur when inputting access authorities. Without periodic re-certification of users' access, any improper access could continue indefinitely.

           We discussed this issue with the CISO, who agreed that FEC needs to perform the required review of access controls. The CISO advised that the FEC obtained the necessary software on October 20, 2009, and once the configuration and testing of the software is completed, the periodic review of access controls will begin.

           We tested the FEC's current account settings against the minimum settings required by best practices and identified exceptions relating to password history enforcement, maximum password age, and minimum password age.

           We also compared FEC's controls for remote access to the best practice requirements and found that FEC had not implemented sufficient controls for its dial-up access.
For a moderate risk system, such as FEC's GSS, best practices require the organization to employ automated mechanisms to facilitate the monitoring and control of remote access methods; use cryptography to protect the confidentiality and integrity of remote access sessions; control all remote accesses through a limited number of managed access control points; permit remote access for privileged functions only for compelling operational needs; document the rationale for such access in the security plan for the information system; and employ multifactor authentication.

           We determined that the dial-up access for FEC currently does not meet any of these benchmarks. In contrast, FEC requires personnel who access the network through connections other than dial-up access to use multi-factor authentication, a virtual private network (VPN) connection, and full disk encryption. The CISO advised that the FEC does not believe that the remote access controls discussed in best practices are applicable to FEC's dial-up access.

           NIST SP 800-53 (AC-17 Remote Access) provides that "Remote access is any access to an organizational information system by a user…communicating through an external network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless." As noted above, the controls, in our opinion, are applicable to FEC's dial-up access.

       c. Continuous Monitoring

           The Government Accountability Office's (GAO) "Standards for Internal Control in the Federal Government" documents the five standards of internal control. One of these standards requires agencies to assure that ongoing monitoring occurs in the course of normal operations. Under the standard, monitoring is to be performed continually and is ingrained in the agency's operations. A continuous monitoring program includes an ongoing assessment of security control effectiveness to determine if the currently deployed set of security controls needs to be modified or updated based on changes in the information system or its operational environment.

           We reviewed the continuous monitoring program of FEC, and the independent contractor's risk assessment of FEC's general support system, and noted the following problems:

               • Access controls – FEC was not monitoring the role of remote users who had accessed the FEC LAN.
               • Audit and Accountability controls – FEC had not established routine review procedures for FEC's general support system audit logs in order to identify inappropriate or suspicious activity.
               • Risk Assessment – FEC had not established and documented the frequency of vulnerability scans throughout the enterprise, or established a continuous monitoring capability that incorporated at least quarterly vulnerability scans of FEC's network and workstations.

           FEC's current processes call for a service provider to perform vulnerability scanning of the FEC external network quarterly. The service provider performed scans in June 2008 and December 2008; however, the agency did not maintain documentation to support correction of the weaknesses identified in the scans. Our review of these scans showed that several of the same problems were identified in both scans.

           FEC does not perform scanning of workstations and devices attached to the network. Therefore, vulnerability identification, patch levels, and compliance with security configurations would not be identified through FEC's current scanning processes. OCIO officials confirmed that FEC has not yet performed scanning in these areas.

           OCIO officials have established a POA&M to address the problems noted above.

       d. Federal Desktop Core Configuration Compliance Not Implemented

           FEC has not implemented best practices and OMB mandated security requirements for its desktop workstations. These security requirements have been generally accepted as providing necessary strengthening of federal IT systems. OMB has issued guidance, dating from March 2007, that requires all federal agencies to implement the Federal Desktop Core Configuration (FDCC) security configuration. Federal agencies are required to adopt all of the minimum settings in order to be compliant. FDCC settings are substantially more restrictive than the current FEC settings. Some security enhancements that are required by FDCC include the following:

               • Running the system as a standard user and not as administrator.
               • Establishing a minimum 12 character password and requiring the password to change every 60 days.
               • Disabling wireless service.
               • Setting the system cryptography to use FIPS compliant algorithms for encryption, hashing, and signing.
               • Disallowing drivers that are not digitally signed by Microsoft.

       e. Personnel Security Controls Strengthened but Gaps Remain

           FEC has policies and procedures in place to ensure that personnel who separated from the agency had their network accesses timely removed. For fiscal year 2009, we compared the list of personnel who separated from the agency within a three-month period to the dates that each person's network access was terminated.
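The comparison just described, as an added example that is not code from the report or from the FEC: a Python check that flags any separated employee whose network account was not disabled by the next business day. The user names, dates, review date and the weekend-only business-day rule are constructed assumptions.

```python
"""Timeliness check for removal of network access after separation.

Added example, not code from the audit report or the FEC. It reproduces the
test described above: compare each separated employee's separation date with
the date the network account was disabled, and flag every account that was
not removed by the next business day. Only weekends are skipped; federal
holidays are ignored (a simplifying assumption). All names and dates below
are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, NamedTuple, Optional, Tuple


@dataclass(frozen=True)
class SeparationRecord:
    user: str
    separated: date
    access_removed: Optional[date]  # None: account still enabled at review time

    @classmethod
    def from_iso(cls, user: str, separated: str, removed: Optional[str]) -> "SeparationRecord":
        """Build a record from ISO date strings, e.g. from an HR export."""
        return cls(user, date.fromisoformat(separated),
                   date.fromisoformat(removed) if removed else None)


class LateRemoval(NamedTuple):
    user: str
    days_past_deadline: int
    still_enabled: bool


def next_business_day(d: date) -> date:
    """First weekday strictly after d (Saturday=5 and Sunday=6 are skipped)."""
    nxt = d + timedelta(days=1)
    while nxt.weekday() >= 5:
        nxt += timedelta(days=1)
    return nxt


def review_access_removals(records: List[SeparationRecord],
                           as_of: date) -> Tuple[List[str], List[LateRemoval]]:
    """Split records into accounts removed on time and accounts removed late.

    An account is timely when it was disabled on or before the next business
    day after separation. A still-enabled account is measured up to `as_of`,
    the date of the review, so it always appears in the late list.
    """
    timely: List[str] = []
    late: List[LateRemoval] = []
    for rec in records:
        deadline = next_business_day(rec.separated)
        still_enabled = rec.access_removed is None
        removed_on = as_of if still_enabled else rec.access_removed
        if not still_enabled and removed_on <= deadline:
            timely.append(rec.user)
        else:
            late.append(LateRemoval(rec.user, (removed_on - deadline).days, still_enabled))
    return timely, late


# Constructed review date (end of the fiscal year) and sample mirroring the
# finding: ten separations in one quarter, nine disabled by the next business
# day, one left enabled for about three months.
REVIEW_DATE = date(2009, 9, 30)
SAMPLE_RECORDS = [
    SeparationRecord.from_iso("user01", "2009-04-03", "2009-04-06"),  # Fri -> Mon, on time
    SeparationRecord.from_iso("user02", "2009-04-14", "2009-04-14"),  # same day
    SeparationRecord.from_iso("user03", "2009-04-22", "2009-04-23"),
    SeparationRecord.from_iso("user04", "2009-04-30", "2009-05-01"),
    SeparationRecord.from_iso("user05", "2009-05-08", "2009-05-08"),
    SeparationRecord.from_iso("user06", "2009-05-18", "2009-05-19"),
    SeparationRecord.from_iso("user07", "2009-05-27", "2009-05-28"),
    SeparationRecord.from_iso("user08", "2009-06-09", "2009-06-10"),
    SeparationRecord.from_iso("user09", "2009-06-19", "2009-06-22"),  # Fri -> Mon, on time
    SeparationRecord.from_iso("user10", "2009-04-20", "2009-07-20"),  # 90 days past deadline
]


if __name__ == "__main__":
    ok, problems = review_access_removals(SAMPLE_RECORDS, as_of=REVIEW_DATE)
    print(f"{len(ok)} of {len(SAMPLE_RECORDS)} accounts removed by the next business day")
    for p in problems:
        state = "still enabled" if p.still_enabled else "removed late"
        print(f"  {p.user}: {state}, {p.days_past_deadline} days past deadline")
```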
Network access was cancelled by the next business day for nine of the ten individuals who had separated during this period; however, network access for one individual was not removed for approximately three months after the individual had separated from FEC. OCIO personnel attributed the problem to oversight, reviewed the circumstances surrounding the discrepancy, and advised that the OCIO has implemented compensating controls to ensure that the problem does not recur.

       f. Interconnection Agreements Not Completed

           Agencies using best practices require providers of external information system services to comply with organizational information security requirements and employ appropriate security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Best practices define government oversight and user responsibilities for external information system services. They also establish requirements for monitoring security controls.

           An external information system service is implemented outside of the authorization boundary of the organizational information system. For services external to the organization, a chain of trust requires that the organization establish and retain a level of confidence that each participating provider maintains adequate protection for the services rendered to the organization. Service-level agreements define the expectations of performance for each required security control, describe measurable outcomes, and identify remedies and response requirements for any identified instance of noncompliance.

           We reviewed the service providers and contractors currently used by the FEC, and noted that only one of the three entities, the National Finance Center, had an agreement with FEC that complied with the best practice requirements set out above.

           FEC has established a POA&M to correct this issue.

       g. Policies and Procedures Should be Established to Meet Best Practices

           As noted above, the FEC's Office of General Counsel provided us with a document that identified that FEC is exempt from all FISMA requirements, National Institute of Standards and Technology (NIST) publications, Federal Information Processing Standards (FIPS), the E-Government Act, the Paperwork Reduction Act, the Computer Security Act of 1987, and OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources, among others.

           OMB has released extensive guidance on required IT security requirements to all federal governmental entities through circulars, bulletins, and memoranda. Much of this guidance cites as authoritative sources the laws and regulations from which the FEC's Office of General Counsel (OGC) has determined that FEC is exempt. These determinations cite legal authorities, and do not address whether these requirements (controls) would further strengthen FEC's IT security program. For some areas, such as accounting requirements, OGC has noted that the FEC may use the exempted document as a model.

           Currently, the FEC must analyze each document released by OMB and other authoritative sources, determine whether FEC is required to implement the guidance, and, if exempt, whether the FEC should adopt the controls. In effect, this process requires FEC to independently establish a separate IT control standard-setting process for FEC.

           We identified a prior OIG audit, dated December 2007, Assignment No. OIG-07-02, Report on the 2007 Performance Audit of the Federal Election Commission's Compliance with Section 522 of the Consolidated Appropriations Act, 2005, that reported concerns similar to ours. The report concluded that deficiencies identified in the report were attributable to two main factors; one cause was the "…lack of an overall risk-based compliance and governance framework at the FEC."

           The report stated that "FEC decisions on whether to adhere to IT … security federal government guidelines often appear to be made based on legal interpretations of laws and OMB memorandums, rather than on sound risk management." The report noted that this is supported by evaluating the significant legal resources that management assigned to decision making compared with the limited resources for risk management activities. The report cited as an example management's decision not to perform privacy impact assessments. This decision was made based on an FEC OGC opinion that the FEC did not legally have to comply with this requirement, rather than on sound risk management.

           The prior report noted, and we confirmed, that other federally appropriated organizations that are exempt from FISMA and NIST guidelines have formally adopted these requirements as a matter of best practice to help ensure that sound internal controls are established and followed.

           Our review of FEC's guidelines, standards and policies noted that the IT security program procedures do not reference any authoritative requirements or standards. FEC procedures are not formatted to follow federal standards, and do not address many of the specific minimum control techniques required by best practices. In addition, we noted that the FEC standards, policies and guidance are usually not dated, not authenticated with a signature, and do not include a date when the documents will be updated.

       h. Configuration Management

           We reviewed the independent contractor's report on the IT security control requirement for configuration management. We noted that the following configuration management deficiencies were identified: FEC does not have a formal Change Control Process in place that includes proper review and sign-off from all responsible managers; mandatory configuration settings for system components are not currently established; and hardening guidelines are not in place to ensure system components are configured to the most restrictive settings.

           FEC has developed a POA&M to address these deficiencies.

           Recommendations

           7. Formally adopt as a model for FEC the NIST IT security controls established in FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, and SP 800-53, Recommended Security Controls for Federal Systems and Organizations.

           8. Perform an annual independent assessment to determine whether FEC's agency-wide IT security program meets minimum security controls established by NIST.

           9. Implement a process to require users' supervisors to recertify a user's access authorities annually, and maintain documentation to support actions taken to address any changes required by the reviews.

          10. Adopt Federal Desktop Core Configuration (FDCC) standards and implement these standards by the end of the 2010 fiscal year.

          11. Include workstations and devices attached to the network in periodic scans performed by FEC.

          12. Maintain documentation showing actions taken to address the problems identified by the vulnerability scans.

          13. Implement best practice controls over FEC's dial-up access.
          14. Review the circumstances surrounding the untimely removal of the separated employee's access to FEC's network, and ensure controls are in place to remove the employee's access immediately upon departure.

          15. Develop an OCIO policy that requires standards, guidelines and policies to be dated, authenticated with a signature, and scheduled for review and update.

          16. Prepare a detailed POA&M for items identified in the risk assessment of the GSS.

       Agency Response

       Management concurs with recommendations 9, 10, 11, 12, 14, 15, and 16. Management did not concur with recommendations 7, 8, and 13. Concerning recommendations 7 and 8, FEC officials noted that it is already closely mirroring the NIST framework; uses the IT security controls in FIPS 200 and SP 800-53 as guidance; and deviates from the model only after careful evaluation. FEC officials noted that FEC is developing a continuous monitoring program and uses the NIST documentation as guidance. Management did not concur with recommendation 13. FEC dial-up users make a direct connection to the FEC's modem pool when establishing a remote connection. Thus, an encrypted line is not necessary, and the cost of adding additional overhead caused by encryption outweighs the benefits to an already slow communications link.

       Auditor Comments

       We continue to believe that FEC should implement recommendation 13. NIST SP 800-53 (AC-17 Remote Access) provides that "Remote access is any access to an organizational information system by a user…communicating through an external network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless." We believe that the dial-up is an external connection and the control requirements are applicable to FEC's dial-up access.

       Concerning recommendations 7 and 8, we recognized in the finding that the FEC engaged an independent contractor to assess its general support system, using NIST SP 800-53 minimum security controls as a basis for the assessment. We reviewed the assessment report and related documentation, and FEC's POA&M that was prepared to address the weaknesses identified by the assessment, and performed independent tests of many of the NIST SP 800-53 minimum security control requirements. Our review identified that the assessment tested 168 control areas, and concluded whether the controls were implemented, partially implemented, not implemented, planned to be implemented, or not applicable to the FEC environment. In addition, we noted that the independent contractor's report included a disclaimer noting that, while the risk assessment used NIST Publications as a guide, the FEC maintains its exemption from NIST and FISMA.

       The independent contractor's assessment report concluded that 82 controls were implemented, 28 were partially implemented, 19 were not implemented, 20 were planned to be implemented, and 19 were not applicable to FEC's IT environment. These results indicate that approximately 44 percent of the controls applicable to FEC's IT environment were not fully implemented at the time of the review. We reviewed the FEC's POA&M prepared as part of this assessment, and noted that the document consolidated the control weaknesses identified in the contractor's report into 23 areas that needed to be corrected. Of this number, 8 were rated as high risk, 14 were rated as moderate risk, and 1 as low risk.

       As noted in our audit, and in the independent contractor's assessment, FEC has not fully implemented a significant number of the minimum IT security control requirements established by best practices. During our audit, we did not locate any policies or procedures, or supporting documentation, that showed either what analytical reviews are required or were performed to support FEC's determination that a specific control requirement should not be adopted or implemented. To illustrate, we discussed with FEC officials the lack of compliance with FDCC requirements concerning password settings that OMB has mandated that all Federal agencies adopt. We were advised that FEC users would not support moving from the current password settings to the FDCC required settings, and FEC could not commit to implementing the substantially strengthened password settings. FEC's current password settings are substantially less rigid than the mandated FDCC settings.

       In summary, we believe that unless the FEC formally adopts the NIST minimum security requirements, the FEC will continue to be at unnecessary risk.

A summary of the status of prior year recommendations is included in this report as Appendix 1.

We noted another control deficiency over financial reporting and its operation that we have reported to the management of the FEC and those charged with governance in a separate management letter dated November 13, 2009.

COMPLIANCE WITH LAWS AND REGULATIONS

The results of our tests of compliance with certain provisions of laws and regulations, as described in the Responsibilities section of this report, disclosed an instance of reportable noncompliance that is required to be reported under Government Auditing Standards and OMB Bulletin 07-04 (as amended).

   3. Compliance with Debt Collection Improvement Act

       FEC does not refer all delinquent debt to the U.S. Department of the Treasury as required by the Debt Collection Improvement Act of 1996 (DCIA). Only debts administered by the Office of Administrative Review (OAR) are referred to Treasury for collection. Receivables administered by the Office of General Counsel (OGC) and the Office of Alternative Dispute Resolution (ADR) are collected within FEC.
       Our review identified several cases in which the delinquent
       debt had not been referred to Treasury or reported to credit bureaus as required.
       As a result, FEC is not in full compliance with the DCIA and OMB Circular
       A-129, Policies for Federal Credit Programs and Non-Tax Receivables,
       November 2000, as revised.

       Recommendation

       17. FEC should develop and enforce policies and procedures for debt collection
           that will ensure compliance with the DCIA and OMB A-129.

       Agency Response

       Management concurs with this recommendation, and on November 5, it presented
       to the Commission’s Regulations Committee the need to establish policies and
       procedures to ensure full compliance with the DCIA and OMB A-129.

       Auditor Comments

       Since FEC fully concurs with this finding and recommendation, we have no
       additional comments.

RESPONSIBILITIES

Management Responsibilities

Management of the FEC is responsible for: (1) preparing the financial statements in
conformity with generally accepted accounting principles; (2) establishing, maintaining,
and assessing internal control to provide reasonable assurance that the broad control
objectives of the Federal Managers Financial Integrity Act (FMFIA) are met; and
(3) complying with applicable laws and regulations. In fulfilling this responsibility,
estimates and judgments by management are required to assess the expected benefits and
related costs of internal control policies.

Auditor Responsibilities

Our responsibility is to express an opinion on the financial statements based on our audit.
We conducted our audit in accordance with auditing standards generally accepted in the
United States of America; the standards applicable to financial audits contained in
Government Auditing Standards, issued by the Comptroller General of the United States;
and OMB Bulletin 07-04, Audit Requirements for Federal Financial Statements (as
amended). Those standards require that we plan and perform the audit to obtain
reasonable assurance about whether the financial statements are free of material
misstatement.

An audit includes (1) examining, on a test basis, evidence supporting the amounts and
disclosures in the financial statements; and (2) assessing the accounting principles used and
significant estimates made by management, as well as evaluating the overall financial
statement presentation. We believe that our audit provides a reasonable basis for our
opinion.

In planning and performing our audit, we considered the FEC’s internal control over
financial reporting by obtaining an understanding of the agency’s internal control,
determining whether internal controls had been placed in operation, assessing control
risk, and performing tests of controls in order to determine our auditing procedures for
the purpose of expressing our opinion on the financial statements.

We limited our internal control testing to those controls necessary to achieve the
objectives described in OMB Bulletin 07-04 (as amended) and Government Auditing
Standards. We did not test all internal controls relevant to operating objectives as broadly
defined by FMFIA. Our procedures were not designed to provide an opinion on internal
control over financial reporting. Consequently, we do not express an opinion thereon.

As required by OMB Bulletin 07-04 (as amended), with respect to internal control related
to performance measures determined to be key and reported in Management’s Discussion
and Analysis, we made inquiries of management concerning the methods of preparing the
information, including whether it was measured and presented within prescribed
guidelines; changes in the methods of measurement or presentation from those used in
the prior period(s) and the reasons for any such changes; and significant assumptions or
interpretations underlying the measurement or presentation. We also evaluated the
consistency of Management’s Discussion and Analysis with management’s responses to
the foregoing inquiries, audited financial statements, and other audit evidence obtained
during the examination of the financial statements. Our procedures were not designed to
provide assurance on internal control over reported performance measures, and,
accordingly, we do not provide an opinion thereon.

As part of obtaining reasonable assurance about whether the agency’s financial
statements are free of material misstatement, we performed tests of its compliance with
certain provisions of laws, regulations, and significant provisions of contracts,
noncompliance with which could have a direct and material effect on the determination
of financial statement amounts, and certain other laws and regulations specified in OMB
Bulletin 07-04 (as amended).
We limited our tests of compliance to these provisions and
we did not test compliance with all laws and regulations applicable to the FEC.
Providing an opinion on compliance with certain provisions of laws, regulations, and
significant contract provisions was not an objective of our audit and, accordingly, we do
not express such an opinion.

AGENCY COMMENTS AND AUDITOR EVALUATION

We have incorporated the agency’s response to our audit recommendations in the report,
and have attached a copy of the response, in its entirety, as Appendix 2 to this report. In
addition, we have added, where appropriate, auditor comments to address the issues
raised by FEC in its response.

However, the FEC’s written response to the significant deficiencies identified in our audit
has not been subjected to the auditing procedures applied in the audit of the financial
statements and, accordingly, we express no opinion on whether the actions proposed will
remediate the problems noted.

                                                                        Appendix 1

                       Status of Prior Year Recommendations

Each prior year recommendation is listed below with its status as of September 30, 2009.

1.  Fill vacant positions within the OCFO as soon as possible. Ensure that the
    individuals possess analytical, Federal accounting and financial reporting
    knowledge and experience to enhance the FEC’s ability to comply with
    accounting and financial reporting standards.
    Status: Recommendation closed.

2.  Evaluate the resources and appropriate skills needed throughout the agency
    to meet FEC’s financial management and reporting responsibilities and
    implement a plan on achieving the results and recommendations of the
    evaluation.
    Status: Recommendation closed.

3.  Ensure that appropriate and on-going training is provided to FEC employees
    on federal accounting and reporting and the accounting service provider’s
    financial system. Also, ensure OCFO personnel are properly cross-trained in
    department activities.
    Status: Recommendation closed.

4.  Formalize and periodically update policies and procedures to a) ensure
    segregation of duties, b) provide guidance to management and staff in
    recording both recurring and unique transactions, including budgetary
    accounts, and c) provide guidance to management and staff in executing the
    financial statement preparation process in a manner that enhances the
    timeliness of financial statement preparation and minimizes the risk of
    preparing inaccurate financials.
    Status: Recommendation open.

5.  Implement control activities to help ensure accounting transactions are
    recorded correctly and timely, are properly reviewed, and adequate support
    documentation is maintained.
    Status: Recommendation open.

6.  Establish formalized policies and procedures for performing continuous
    assessment of risk factors associated with financial reporting, evaluating
    relevant controls and developing or redesigning controls to mitigate risks.
    These policies should include a well-defined documentation process that
    contains an audit trail, verifiable results, and specific retention periods so
    that someone not connected with the procedures can understand the
    assessment process.
    Status: Recommendation closed.

7.  Enforce the use of the Finance Office Check List throughout the entire fiscal
    year.
    Status: Recommendation closed.

8.  Establish a mechanism for tracking manual journal entries sent to the
    service provider and maintaining associated support documents.
    Status: Recommendation closed.

9.  Develop or redesign controls that strengthen the accountability structure
    related to the process for resolving audit findings.
    Status: Recommendation closed.

10. Re-evaluate if interfacing its standalone financial management systems with
    the service provider’s system is feasible and/or cost effective. If not feasible
    and/or cost effective, consider the subsystems used by the service provider’s
    financial management systems.
    Status: Recommendation open.

11. Finalize and implement FEC’s information classification policy and
    certification and accreditation policy along with any accompanying
    standards.
    Status: Recommendation closed.

12. Incorporate the results of risk assessments into FEC security plans.
    Status: Recommendation closed.

13. Utilize corrective action plans for all reviews of security controls whether
    performed internally or by a third-party.
    Status: Recommendation closed.

14. Certify and accredit all major applications and mission critical general
    support systems.
    Status: Recommendation closed.

15. Implement a process to ensure that background investigations are performed
    on all contractors prior to granting them access to FEC system resources.
    Status: Recommendation closed.

16. FEC should move all of its PeopleSoft financial processing capabilities to
    GSA or update its existing platform to vendor-supported versions/releases.
    Status: Recommendation open.

17. Develop and implement a Disaster Recovery Continuity of Operations Plan
    (COOP).
    Status: Recommendation open.

18. FEC should promptly terminate access to FEC resources for separated
    employees. Procedures should be documented and implemented to
    coordinate separations between Human Resources and IT management to
    ensure user accounts are immediately disabled upon termination.
    Status: Recommendation open.

19. Implement an exit clearance process to track separated FEC contractors and
    ensure that their access permissions are removed and all FEC property has
    been returned.
    Status: Recommendation closed.

                                 Federal Election Commission                           Appendix 2
                                2009 Financial Statement Audit
                            Management Responses to Audit Findings

Audit Recommendation #1: Strengthen controls over the accruals of accounts payable, and
ensure that supervisory reviews of accounts payable accruals are performed.

Audit Recommendation #2: Update OCFO policies to incorporate the new strengthened
processes for identifying and posting accounts payable accruals.

Management Responses for Recommendations #1 and #2: Management partially concurs.
Management concurs that it is important to have appropriate controls over the accruals of
accounts payable. However, Management notes that the referenced Statement of Federal
Financial Accounting Standards (SFFAS) 5, Accounting for Liabilities of the Federal
Government, is not the appropriate criteria to cite when discussing deficiencies with accounts
payable accruals. The Scope of SFFAS #5 paragraphs 2 and 3 specifically states:

       “2. This Statement articulates a general principle that should guide preparers of
       general purpose federal financial reports. It also provides more detailed guidance
       regarding liabilities resulting from deferred compensation, insurance and
       guarantees (except social insurance), certain entitlements, and certain other
       transactions.
       The Statement addresses liabilities not covered in Statement of
       Federal Financial Accounting Standards (SFFAS) Number 1, Accounting for
       Selected Assets and Liabilities…

       3. The concept of a liability in this document is consistent with those in Statements
       Number 1 and 2. The definition amends the stated definition of a liability in
       SFFAS Number 1. This Statement establishes accounting for liabilities not
       covered in SFFAS No. 1 and 2. Statement Number 1 addresses only those selected
       liabilities that routinely recur in normal operations and are due within a fiscal
       year. The liabilities covered in Statement Number 1 are accounts payable, interest
       payable, and other current liabilities, such as accrued salaries, accrued
       entitlement benefits payable, and unearned revenue.”

Management recognizes that one invoice was improperly excluded from the accounts payable
estimate as of September 30, 2008. However, we feel this was an isolated incident and the issue
noted is not indicative of a lack of internal controls over financial reporting. In our opinion, the
error noted is immaterial to the FY 2008 and FY 2009 financial statements taken as a whole.

Management believes that the appropriate controls were already in place in FY 2008. However,
Management concurs that the operational documentation at the end of FY 2008 lacked clarity.
Therefore, during the preparation of the FY 2009 second quarter interim statements, the Office of
the Chief Financial Officer (OCFO) proactively strengthened its written procedures for this
process of identifying and posting estimated accounts payable. Management notes that the
improved written procedures were in place for the remainder of the year. The accounts payable
accrual process has since been added to the draft version of the Accounting Manual.
Management expects to release the updated Accounting Manual within the next 180 days.

Audit Recommendation #3: Re-emphasize, in writing, to purchase cardholders and managers
their responsibilities associated with managing the purchase card program payment process and
the need for effective internal controls as discussed in FEC Procurement Procedures.

Management Response for Recommendation #3: Management concurs that the credit card
statement should have been reconciled by the original card holder. However, Management
believes that the corrections needed to address this issue have already been put in place. At the
time that the balance was identified, the individual no longer worked for the agency. As part of
the approved procurement procedures, OCFO requires annual training through the GSA website
for purchase card holders. This was an exception to FEC’s approved processes and is not
indicative of the FEC purchase card process.

Additionally, as part of the corrective action plan prepared in response to an OIG procurement
audit, the OCFO is already in the process of revising and strengthening the purchase card
procedures.

Audit Recommendation #4: Update and issue the Accounting Manual within the next six
months.

Audit Recommendation #5: Establish a policy that requires OCFO policies and procedures to
be periodically reviewed and updated, such as on a two to three year cycle.

Management Responses to Recommendations #4 and #5: Management partially concurs.
Management concurs that having current policies and procedures is an important aspect of
effective financial management. However, Management believes that a significant amount of
work to address these recommendations has already been accomplished.

The following is the status of OCFO Policies and Procedures:

OCFO Policies and Procedures

Policy Name                   Original Date   Latest Revision  Revision Status         Last Approval        Document Type
Accounting Manual             4/1/2006        6/30/2009        Regularly updated on    Director of Finance  Policy
                                                               an as-needed basis
AP Accrual Process            4/13/2009       8/12/2009        Final                   Director of Finance  Operational Procedure
Funds Control Document        Non-applicable  6/22/2009        Final                   CFO                  Policy
Financial Statement           5/28/2009       5/28/2009        Final                   CFO                  Policy
  Preparation Guidance
Fixed Asset Policy Guide      10/7/2005       5/18/2009        Final                   Director of Finance  Policy
PPE (Exhibit 3-29) of         4/1/2006        5/20/2009        Final                   Director of Finance  Operational Procedure
  Accounting Manual
Procurement Office Policy     6/12/2008       6/12/2008        Final                   CFO                  Policy
  & Procedures
SAS 70 review policy          9/29/2009       10/9/2009        Final                   Director of Finance  Policy

The above table shows that OCFO actively reviews and updates policies and procedures
regularly.

Management does not concur that the Accounting Manual was in draft as of September 30, 2009.
As indicated above, the Accounting Manual was first released on April 1, 2006. Only certain
sections that related to the accounting system migration from PeopleSoft to GSA’s Pegasys were
being updated during FY 2009. Therefore, Management believes that the Accounting Manual
was in place for FY 2009 and plans to complete the update in the next 180 days.

Audit Recommendation #6: Partner with FEC service providers to develop a time-phased plan
to convert the manual systems and processes to automated systems that are integrated or
interfaced with the core accounting system. Establish a goal of converting these systems by the
end of 2010.

Management Response to Recommendation #6: Management concurs that it is important for
agencies to look to automate where appropriate and cost-effective.
The OCFO has worked
closely with GSA, NFC and OMB in order to identify opportunities for further automation with
current systems. Management notes that manual processes do not always introduce risk. The
OCFO has implemented necessary compensating controls to minimize risks of any manual
processes. We believe the results of our annual FMFIA assessment as well as the results of the
FY 2009 financial statement audit provide us a reasonable basis for concluding that the FEC’s
controls are operating effectively. However, we will continue to evaluate the potential benefits
of adopting automated systems and implementing interfaces to streamline financial processes.

Audit Recommendation #7: Formally adopt as a model for the FEC the NIST information
technology (IT) security controls established in FIPS 200, Minimum Security Requirements for
Federal Information and Information Systems, and SP 800-53, Recommended Security Controls
for Federal Systems and Organizations.

Audit Recommendation #8: Perform, on an annual basis, an independent assessment to
determine whether the FEC’s agency-wide IT security program meets minimum security controls
established by NIST.

Management Response #7 and #8: Management does not concur with these two
recommendations for the following reasons:
    •  The FEC is already closely mirroring the NIST framework and deviates from the NIST
       model only after careful evaluation.
    •  The FEC is already utilizing the IT security controls specified in FIPS 200 and SP 800-53
       as guidance.
    •  The FEC is developing a continuous monitoring program to assess whether the agency is
       effectively meeting its minimum security controls. This continuous monitoring program
       and security control assessment uses NIST documentation as guidance.
    •  Congress exempted the FEC from NIST, and it would be improper for the FEC’s Office
       of Chief Information Officer to disregard the will of Congress.
    •  It was not the original intent of NIST to impose a set of standards to which all Federal
       agencies must adhere. Rather, NIST states that “the purpose of its documentation is to
       provide guidance.” See concluding statement.
    •  It would not be in the agency’s best interest to exclude automatically other possible
       sources of best practice due to adherence to one standard.

The 2009 CFO audit report also discussed at length issues the FEC had already identified and
developed POA&Ms to address prior to that audit. These issues were identified because the FEC
contracted with an independent vendor to conduct an unbiased risk assessment and system test
and evaluation (ST&E). This independent risk assessment and ST&E are components of the
Commission’s Certification & Accreditation program.

Audit Recommendation #9: Implement a process to require users’ supervisors to re-certify a
user’s access authorities at least annually, and maintain documentation to support that actions
were taken to address any changes required by the reviews.

Management Response #9: Management concurs with this recommendation and will include
sampling users’ access for re-certification by access authorities in its continuous monitoring
program. The FEC has researched, tested and purchased software to perform this function.

Audit Recommendation #10: Adopt Federal Desktop Core Configuration (FDCC) standards,
and develop a POA&M to implement these standards by end of FY 2010.

Management Response #10: Management concurs with this recommendation and has included
it within the GSS POA&M. The FEC has formed a NIST FDCC team to evaluate, test and
implement NIST FDCC’s security settings. However, best practice dictates that management
strive to strike a balance between security and business needs. Therefore, the FEC reserves the
right to implement only those controls it deems appropriate for its computing environment.

Audit Recommendation #11: Include workstations and devices attached to the network in
periodic scans performed by the FEC.

Management Response #11: Management concurs with this recommendation; however, the
FEC will need to evaluate the feasibility of scanning all of the agency’s workstations to
determine if additional software tools and staff are required to implement this control.

Audit Recommendation #12: Maintain documentation showing actions taken to address the
problems identified by the vulnerability scans.

Management Response #12: Management concurs with this recommendation and has included
it within the GSS POA&M.

Audit Recommendation #13: Implement best practice controls over the FEC’s dial-up access.

Management Response #13: Management does not concur with this recommendation.
FEC
dial-up users make a direct connection to the FEC’s modem pool when establishing a remote
connection. Thus, an encrypted line is not necessary.

Although the NIST standard dictates that encryption be applied for a remote dial-up connection,
the requirement is based upon employing the Internet as a communications channel between the
two end-points (the FEC LAN and the remote user’s laptop). This premise does not take into
account the possibility of simply bypassing the Internet.

In the NIST scenario, the use of encryption would be advocated because data passing through the
Internet communications channel would be unsecure. However, the FEC does not utilize the
Internet as a communications channel when a remote user connects to the FEC LAN during a
dial-up connection. FEC dial-up users make a direct connection to the FEC’s modem pool when
establishing a remote connection; therefore, an encrypted line is not necessary.

The FEC remote dial-up scenario is analogous to the FEC Human Resources (HR) Office
connecting to the Office of Personnel Management (OPM) over a phone to discuss a sensitive
issue. When HR establishes a phone connection to OPM, it is considered relatively secure
because there is a direct connection between the two. This is the same process that occurs when
a remote dial-up user connects to the FEC LAN, and it is relatively secure for the same reason:
there is a direct connection between the two parties.

The only time communications would pass through the Internet would be if one (or both) parties
are employing Voice over Internet Protocol (VoIP). At that point, encryption is automatically
applied by the VoIP technology. The cost of adding additional overhead caused by encryption
outweighs the benefits to an already slow communications link.

Audit Recommendation #14: Review the circumstances surrounding the untimely removal of a
separated employee’s access to the FEC’s network, and ensure controls are in place to remove
employees’ access immediately upon departure.

Management Response #14: Management concurs with this recommendation and considers this
issue closed. As indicated, for nine out of ten individuals who had separated during this period,
network accesses were removed by the next business day. The FEC investigated and concluded
the single oversight was due to the exiting employee failing to notify the appropriate offices.

The FEC has implemented compensating manual controls (email from HR to OIT Helpdesk on
departure date) to ensure this oversight does not occur again. In addition, an automatic security
control will be implemented to provide better tracking of such issues in December 2009.

Audit Recommendation #15: Develop an OCIO policy that requires standards, guidelines and
policies to be dated, authenticated with a signature and scheduled for review and update.

Management Response #15: Management concurs with this recommendation and will add it to
the GSS LAN POA&M. However, the FEC created 58A Information Technology Program
Policy, which was signed by the Chief Information Officer and dated September 17, 2004. This
policy serves as a single source reference for establishing uniform policies, responsibilities and
authorities for implementing the Federal Election Commission’s Information System Security
Program. All subsequent IT security policies, standards and guidelines gain their authority from
this document, and dates and signatures are therefore not required. However, in the interest of
clarity the FEC will evaluate the advantage of dating, authenticating by signature and including a
date for documents to be updated.

Audit Recommendation #16: Prepare a detailed POA&M for items identified in the risk
assessment of the GSS.

Management Response #16: Management concurs with this recommendation and will add it to
the GSS LAN POA&M.

Concluding Statement for Auditor Findings # 7-16:

As indicated in the audit report, the FEC has corrected the majority of findings identified in the
2008 financial statement audit report and has developed plans of actions and milestones
(POA&M) to address all remaining deficiencies. The FEC has also developed POA&Ms to
address those deficiencies identified during the 2009 Chief Financial Officer (CFO) audit. The
majority of these deficiencies were brought to our attention prior to the 2009 CFO audit because
the FEC contracted an independent vendor to conduct an unbiased risk assessment and system
test and evaluation (ST&E). This independent risk assessment and ST&E are components of the
Commission’s Certification & Accreditation program.

A large portion of the 2009 audit report focuses on the CFO auditor’s assertion that the FEC
should adopt Federal Information Security Act (FISMA) and National Institute of Standards and
Technology (NIST) guidance as a standard. Management does not concur with this assertion for
several reasons. First, it would be improper for the FEC to disregard the will of Congress.
Congress exempted the FEC from numerous laws and regulations. Whether Congress took this
step to allow the agency to maintain a sense of autonomy from other components of the Federal
government, or for other reasons, the fact remains that it did exempt the agency and that is the
law.

Second, it should be noted that it was not the original intent of NIST to impose a set of standards
to which all Federal agencies must adhere. As stated in NIST, “the purpose of its documentation
is to provide guidance.” Bearing this in mind, the FEC does utilize NIST as one source of
guidance when determining best practice. However, the FEC determined early in the policy
development process that it would not be in the agency’s best interest to automatically exclude
possible sources of knowledge due to adherence to one standard. This was demonstrated when
the FEC engaged an independent contractor to perform an unbiased risk assessment and analysis
of FEC security controls in its General Support System (GSS), the FEC Local Area Network
(LAN). The independent contractor utilized the same NIST documentation as the CFO auditors
when evaluating the FEC’s risk posture and security controls.

The FEC is already closely mirroring the NIST framework and only deviates from the NIST
model after careful evaluation of a given situation and when the agency has determined that there
is either a better or more cost effective method of achieving its IT security goals. It should be
noted that NIST itself allows for justified deviations.
One example is the FEC\xe2\x80\x99s justification for\nnot adhering to the NIST recommendation concerning remote access.\n\n\n\n\n                                               32\n\xc2\xa0\n\xc2\xa0\n\x0c                               Federal Election Commission                       Appendix 2\n                              2009 Financial Statement Audit\n                          Management Responses to Audit Findings\xc2\xa0\n                                              \xc2\xa0\nAudit Recommendation #17: FEC should develop and enforce policies and procedures for debt\ncollection that will ensure compliance with the DCIA and OMB A-129.\n\nManagement Response to Recommendation #17: Management concurs. On November 5,\nManagement presented to the Commission\xe2\x80\x99s Regulations Committee the need to establish\npolicies and procedures to ensure full compliance with the DCIA and OMB A-129. The\nCommission directed the OCFO and OGC to begin work to complete this project in calendar\nyear 2010. Management notes that this issue only impacts approximately 11% of FEC\xe2\x80\x99s debt.\n\n\n\n\n                                             33\n\xc2\xa0\n\xc2\xa0\n\x0c     CONTACTING THE OFFICE OF INSPECTOR GENERAL\nThe success of the OIG mission to prevent fraud, waste, and abuse depends on the\ncooperation of FEC employees (and the public). There are several ways to report\nquestionable activity.\n\n\n\n\n      Call us at 202-694-1015 (a confidential or anonymous message can be\n      left 24 hours a day/7 days a week) or toll-free at 1-800-424-9530 (press 0;\n      then dial 1015 - Monday - Friday 8:30am \xe2\x80\x93 5:00pm).\n\n\n\n\n      Write or visit us - we are located at: \t Federal Election Commission\n                                             Office of Inspector General\n                                             999 E Street, N.W., Suite 940\n                                             Washington, D.C. 
20463\n\n      Mail is opened by OIG staff members only.\n\n\n\n\nYou can also fax (202-501-8134) or contact us by e-mail at: oig@fec.gov.\nWebsite address: http://www.fec.gov/fecig/fecig.shtml\n\n\nIndividuals may be subject to disciplinary or criminal action for knowingly making\na false complaint or providing false information.\n\x0c'